HTTP: Microsoft Windows Media Player Skin Decompression Code Execution
This signature detects attempts to exploit a known code execution vulnerability in Microsoft Windows Media Player. It is caused due to a boundary error when decompressing the encoded data from WMZ and WMD files. A remote attacker can exploit this by enticing the target user to open crafted WMZ and WMD files, potentially causing arbitrary code to be injected and executed in the security context of the currently logged in user. In a simple attack case, the affected Windows Media Player can terminate when the malicious page is opened. In a sophisticated attack, where the malicious user is successful in injecting and executing supplied code, the behavior of the system is dependent on the nature of the injected code. Any code injected into the vulnerable component can execute in the security context of the currently logged in user.
Extended Description
Microsoft Windows Media Player is prone to a remote code-execution vulnerability when handling specially crafted compressed skin files. Attackers exploit this issue by coercing unsuspecting users to download and open Windows Media Player skin files (WMZ or WMD files). Successful exploits allow attackers to execute arbitrary code in the context of the vulnerable application. This facilitates the remote compromise of affected computers.
Affected Products
Microsoft windows_media_player
Short Name
HTTP:STC:DL:WMP-SKIN-DECOMP
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
CVE-2007-3035 Code Decompression Execution Media Microsoft Player Skin Windows bid:25307
Release Date
10/14/2010
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3717
False Positive
Unknown
Vendors
Microsoft
Avaya
CVSS Score
7.6